IMPROVED STRONGLY DENIABLE AUTHENTICATED KEY EXCHANGES FOR

SECURE MESSAGING

Nik Ungerand

Ian Goldberg

2

Secure Messaging

3

Secure MessagingC

on

fid

en

tiali

ty

Authentication

Plaintext

TLS to Server

End-toEnd Zone

“All-Verifier”AuthenticationAnonymous Deniable

Authentication(OTR, Signal)

4

Why Deniability?

5

Deniable Messaging

A B

<B> there’s a protest about it tomorrow<B> want to go?<A> Yes!<B> ok, no phones

CryptoMagic

6

Deniable Messaging

<B> there’s a protest about it tomorrow<B> want to go?<A> Yes!<B> ok, no phones

7

Deniable Messaging…?

A B

8

Offline vs. Online Deniability

A B

<B> there’s a protest about it tomorrow<B> want to go?<A> Yes!<B> ok, no phones

CryptoMagic

A B

Offline Deniability

Online Deniability

9

Deniable Messaging…?

● See Appendix A– Attacks on OTRv3 and Signal

● Also see ia.cr/2018/424:

10

Deniable Messaging

A B

11

Deniable Messaging

A B

12

In This Paper

● Two new efficient key exchange protocols

Interactive Non-interactive

13

Security Properties

● Confidentiality● Mutual authentication● Forward secrecy● Contributiveness● Offline and online deniability

14

Crypto Toolbox

Identity key(long-term asymmetric)

Ephemeral key(short-term asymmetric)

Diffie-Hellmanshared secret

Shared session key(symmetric)

15

Crypto Toolbox

IDkey

Eph.key

Diffie-Hellmanshared secret

Signature

MAC

Ring signature

Create: need privateVerify: need public

Create: need Verify: need

Create: need one private , , orVerify: need all public , , and

Sym.key

16

Crypto Toolbox

Diffie-Hellmanshared secret

Signature MAC

Ringsignature

IDkey

Eph.key

Sym.key

17

Deniable Authenticated Key Exchanges

A BDAKE

Secure messagingprotocol

18

DAKEZ

A B

Shared key ( ):

Diffie-Hellmanshared secret

Signature MAC

Ringsignature

IDkey

Eph.key

Sym.key

19

DAKEZ: Authentication

A B

Shared key ( ):

Diffie-Hellmanshared secret

Signature MAC

Ringsignature

IDkey

Eph.key

Sym.key

Nobody elseknows

or ,so they know

20

B

DAKEZ: Authentication

A

Shared key ( ):

Diffie-Hellmanshared secret

Signature MAC

Ringsignature

IDkey

Eph.key

Sym.key

Nobody elseknows

or ,so they know

21

DAKEZ: Offline Deniability

F F

Shared key ( ):

Diffie-Hellmanshared secret

Signature MAC

Ringsignature

IDkey

Eph.key

Sym.key

22

DAKEZ: Online Deniability

A

Shared key ( ):

Diffie-Hellmanshared secret

Signature MAC

Ringsignature

IDkey

Eph.key

Sym.key

AB

23

Mobile?

24

Mobile Use

A B

“Prekeys” Recipient ID

Message

Message

25

ZDH

A B

Shared key ( ):

Diffie-Hellmanshared secret

Signature MAC

Ringsignature

IDkey

Eph.key

Sym.key

&

26

ZDH: Authentication

A B

Shared key ( ):

Diffie-Hellmanshared secret

Signature MAC

Ringsignature

IDkey

Eph.key

Sym.key

&

Nobody elseknows

so any readermust know

27

Weak Forward Secrecy

A B

(Ciphertext for & )

Collect

(Time passes)

(Like Signal, originally)

28

XZDH

A B

Shared key ( ):

Diffie-Hellmanshared secret

Signature MAC

Ringsignature

IDkey

Eph.key

Sym.key

& &

29

Is This Secure?

30

Is This Secure?

“Yes.”

31

OTRv4 Adoption

● External adoption: OTRv4 team

32

Performance

SIGMA-R(OTRv3)

DAKEZ(OTRv4)

3DH ZDHX3DH

(Signal)XZDH

(OTRv4)

Key Gen.(ms)

0.0240 0.0440 0.0228 0.0429 0.0240 0.0444

Key Exch.(ms)

0.3478 1.094 0.4229 0.778 0.5533 0.9217

ID Key(bytes)

32 32 32 32 32 32

Prekey(bytes)

- - 32 32 32 & 96 32 & 96

Key Exch.(bytes)

272 464 80 304 80 304

33

Extras in the Paper

34

Extras in the Paper

Quantum- resistanttransitional security

A

B

Efficient dual-receiverencryption

A “B”Defeatingkey-compromiseimpersonation

Implementationdetails & advice

35

Summary

● New key exchanges: DAKEZ, (X)ZDH● Secure connection, eponymous, no all-verifier

authentication required? Use these!● Code & data: crysp.org/software/dakez_xzdh● Come see OTRv4 at HotPETs● Coming soon: group messaging

Thank you!njunger@uwaterloo.ca

36

You’ve Activated My Bonus Slides!!!

37

Limited Online Deniability

A B

“Prekeys” Recipient ID

, Auth, Msg

Auth with

, Auth, Msg

38

RSDAKE and Spawn

● Standard model Random oracle model→ Random oracle model– Obscure assumptions common assumptions→ Random oracle model– Seconds milliseconds→ Random oracle model– Improved security (contributiveness, forward

secrecy)

● RSDAKE DAKEZ→ Random oracle model● Spawn ZDH→ Random oracle model

39

DAKE Comparison

40

Signal Deniability

IKA IKB

EKA EKB

1

2

1

3

IKA IKB

EKA SPKB

OTKB

1

2

1

3

4

3DH X3DH

41

Lack of Contributiveness

● Problems with non-contributory:– Can coerce a client to use a known secret– Can use a secret known to a third-party, allowing

them to decrypt without their consent

● Non-problems with non-contributory:– Contributiveness does not prevent desirable bits– Contributiveness does not defend against weak

PRNGs

42

ZDH

A B

Shared key ( ):

Diffie-Hellmanshared secret

Signature MAC

Ringsignature

IDkey

Eph.key

Sym.key

&

43

ZDH: Authentication

A B

Shared key ( ):

Diffie-Hellmanshared secret

Signature MAC

Ringsignature

IDkey

Eph.key

Sym.key

&

Nobody elseknows

or ,so they know .

They also know

44

Mitigating KCI Attacks

A B

Shared key ( ):

Diffie-Hellmanshared secret

Signature MAC

Ringsignature

IDkey

Eph.key

Sym.key

45

Online Deniability Attack for Signal

● (Alice is coerced by Judson)● Alice downloads Bob’s prekey: IKB, SPKB,

Sig(IKB, Encode(SPKB))

● Judson generates key pair with public EKA

● Alice provably reveals DH(IKA, SPKA)

● Alice sends EKA to Bob● Judson can compute the secret, Alice cannot

46

Quantum Transitional Security

● Authenticate quantum KEM, like CECPK1

47

DAKEZ

48

ZDH & XZDH